ID: 398190
Cookbook: browseurl.jbs
Time: 04:57:58
Date: 27/04/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents 2
Analysis Report https://t.co/zi3FWnDVDp 4
Overview 4
General Information 4
Detection 4
Signatures 4
Classification 4
Startup 4
Malware Configuration 4
Yara Overview 4
Sigma Overview 4
Signature Overview 4
Mitre Att&ck Matrix 5
Behavior Graph 5
Screenshots 6
Thumbnails 6
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Domains and IPs 8
Contacted Domains 8
Contacted URLs 8
URLs from Memory and Binaries 8
Contacted IPs 8
Public 9
Private 9
General Information 9
Simulations 9
Behavior and APIs 9
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Created / dropped Files 10
Static File Info 15
No static file info 15
Network Behavior 15
Network Port Distribution 15
TCP Packets 15
UDP Packets 17
DNS Queries 17
DNS Answers 17
HTTPS Packets 17
Code Manipulations 18
Statistics 18
Behavior 18
System Behavior 19
Analysis Process: iexplore.exe PID: 5732 Parent PID: 792 19
General 19
File Activities 19
Registry Activities 19
Analysis Process: iexplore.exe PID: 5780 Parent PID: 5732 19
General 19
File Activities 19
Registry Activities 20
Disassembly 20

Copyright Joe Security LLC 2021 Page 2 of 20

Analysis Report https://t.co/zi3FWnDVDp

Overview

General Information

Sample URL: https://t.co/zi3FWnDVDp
Analysis ID: 398190
Most interesting Screenshot: (image)

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

(Classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious, suspicious, clean)

Startup

System is w10x64

iexplore.exe (PID: 5732, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 5780, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5732 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary

There are no malicious signatures.

Mitre Att&ck Matrix

Techniques are listed per tactic; a technique followed by a number is one with matching signatures in this analysis (the number is the match count).

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(Behavior graph: ID 398190; URL https://t.co/zi3FWnDVDp; Startdate 27/04/2021; Architecture WINDOWS; Score 0)

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Graph nodes:
• iexplore.exe (badges: 2, 61) started iexplore.exe (badges: 2, 36)
• t.co, 104.244.42.133, port 443 (local ports 49680, 49681), TWITTERUS, United States
• auspost-mypost-track.from-id.com, 66.29.133.243, port 443 (local ports 49682, 49683), ADVANTAGECOMUS, United States
• 192.168.2.1, unknown
• favicon.ico, unknown

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://t.co/zi3FWnDVDp | 0% | Virustotal | | Browse
https://t.co/zi3FWnDVDp | 0% | Avira URL Cloud | safe |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://auspost-mypost-track.from-id.com/do/-track.from-id.com/o/Root | 0% | Avira URL Cloud | safe
https://auspost-mypost-track.from-id.com/o/ | 0% | Avira URL Cloud | safe
https://auspost-mypost-track.from-id.com/do/Root | 0% | Avira URL Cloud | safe
https://auspost-mypost-track.from-id.com/o/z | 0% | Avira URL Cloud | safe
getbootstrap.com) | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
t.co | 104.244.42.133 | true | false | | high
auspost-mypost-track.from-id.com | 66.29.133.243 | true | false | | unknown
favicon.ico | unknown | unknown | false | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://auspost-mypost-track.from-id.com/ | false | | unknown
https://auspost-mypost-track.from-id.com/do/ | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://auspost-mypost-track.from-id.com/do/ | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr, ~DF634290F9B3C49363.TMP.1.dr | false | | unknown
www.apache.org/licenses/LICENSE-2.0 | bootstrap.min[1].css.2.dr | false | | high
https://auspost-mypost-track.from-id.com/do/-track.from-id.com/o/Root | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://auspost-mypost-track.from-id.com/o/ | ~DF634290F9B3C49363.TMP.1.dr | false | Avira URL Cloud: safe | unknown
https://auspost-mypost-track.from-id.com/do/Root | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://auspost-mypost-track.from-id.com/o/z | {E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat.1.dr | false | Avira URL Cloud: safe | unknown
getbootstrap.com) | bootstrap.min[1].css.2.dr | false | Avira URL Cloud: safe | low

Contacted IPs

(Contacted IPs world map; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs)

Public

IP | Domain | Country | ASN | ASN Name | Malicious
66.29.133.243 | auspost-mypost-track.from-id.com | United States | 19538 | ADVANTAGECOMUS | false
104.244.42.133 | t.co | United States | 13414 | TWITTERUS | false

Private

IP 192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 398190
Start date: 27.04.2021
Start time: 04:57:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 32s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://t.co/zi3FWnDVDp
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@3/14@3/3
Cookbook Comments: Adjust boot time; Enable AMSI; Browsing link: https://auspost-mypost-track.from-id.com/
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 88.221.62.148, 152.199.19.161
• Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, ie9comview.vo.msecnd.net, go.microsoft.com.edgekey.net, cs9.wpc.v0cdn.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7359BF9-A74F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 30296
Entropy (8bit): 1.8541284057279128
Encrypted: false
SSDEEP: 192:rFZWZk2TWJutJlfJ/lMICBIBurfBuscsX:rLSzqJOJ9J+ICBIBurBusl
MD5: 1D0CF13960287A3F78D182E4842A73B4
SHA1: 9FCD946292ABC924AE5EF4D9E9745990FB553901
SHA-256: FAA3E73D72507C7A769319DC130ACA752E4FBD8B709C03CE6241ACD7C4C81516
SHA-512: 111C72389A0A6A75E89DEAADCADCB3F7DF3BC5F384C8DCF029826135012B30C2D8BE580556DB417BFF5618D7D75E6088F36BD0C925CF5EC7758408A849ABC964
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E7359BFB-A74F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 34206
Entropy (8bit): 1.8638459576618218
Encrypted: false
SSDEEP: 192:rvZEQw6ekYjD12dWsMET5cf2Bw/2JSeEfB6FsvJTWWJzTQL:rRNb/aDs0pKkBOK0N
MD5: 5B796611A354233BEA5728E08ED1ABAC
SHA1: 03F23FCC988F94CCC22606395DB24E757CEDCD06
SHA-256: 38F0170CAE208075BB4545808AA459D2B33C7890E0383C76E97CC2D242740285
SHA-512: 29C3CBC21F931409BAD6C8406BB2A064435990F706733AE67C45EA91F0A136BAE9B52B38C95DACDF26ACE4308C837E2AE7B22386C2F8DD2C801BADAAA9227773
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E7359BFC-A74F-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 16984
Entropy (8bit): 1.5655285511578583
Encrypted: false
SSDEEP: 48:IwVGcpr4hGwpatG4pQjGrapbSJGQpKLG7HpRFTGIpG:rLZ47QP6HBSDAKTTA
MD5: 7E99A6E3564F0517610020E1B0853B4C
SHA1: F28B1D4BF3A40F2965921E01DC007AFEF8E6197B
SHA-256: 7CF6BF88E77A72050CABE219237464F68202B4C98514736A1A1B7ABE1797557F
SHA-512: C0BCA9672842CC451551C5B6BA5483ADAD560DE700870B5B39EB2F1FDB958B8E5C773F5D3FF12D0072A69822841CCB6A544A6746B1F34615ACDE923AB4A1EC4D
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\styles[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text
Category: downloaded
Size (bytes): 2718
Entropy (8bit): 4.752870477390812
Encrypted: false
SSDEEP: 48:UlGJheCvwyPX81A8hILnXygiqgXwlcItExf7RPEDR3xZMzI3eyrz/w:UwJvIy4ITXygie9KDRaRB+Muyf/w
MD5: A2C4529DFB2A4CA30E410366B7C8481E
SHA1: 4C459201CC88C638F6BF46C19626E04C10874ED1
SHA-256: 24EBF8094B2FF50F6D3A3293536E506F1542C032C7F9BA13A75DF16464C2C9CA
SHA-512: 30B1D467BAE7805F2D5D7395161B2007C47325A8C09C03A7159C0ADEDBB989691D4991F8B46190698E8CD9A409A5B94B1A273229DFF10F709213D50530086039
Malicious: false
Reputation: low
IE Cache URL: https://auspost-mypost-track.from-id.com/error_docs/styles.css
Preview: /* Copyright 1999-2021. Plesk International GmbH. All rights reserved. */.html {. overflow-y: scroll;. color: #000;. font: 400 62.5%/1.4 "Helvetica Neue", Helvetica, , sans-serif;. -webkit-text-size-adjust: 100%;. -ms-text-size-adjust: 100%;. -webkit-tap-highlight-color: transparent;.}.body,.html {. height: 100%;. min-height: 100 %;.}.body {. margin: 0;. font-size: 1.3rem;. background: #fff;. color: #000;.}.a {. cursor: pointer;. text-decoration: none;. color: #2498e3;. background-color: transparent;.}.a:active,.a:hover {. text-decoration: underline;. color: #188dd9;. outline: 0;.}.h1,.h2 {. margin: 0 0 0.5rem;. color: #444;. font-weight: 400;. line-height: 1;.}.h1 { font-size: 2.4rem; }.h2 { font-size: 3.6rem; }..error-code {. color: #f47755;. font-size: 8rem;. line-height: 1;.}.p { margin: 1.2rem 0; }.p.lead {. font-size: 1.6rem;. color: #4f5a64;.}.hr {. box-sizing: content-box;. height: 0;.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\centos-header[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 1200 x 150, 8-bit/color RGB, non-interlaced
Category: downloaded
Size (bytes): 28888
Entropy (8bit): 7.969370352999393
Encrypted: false
SSDEEP: 768:14OW5zp4q4on1RpnfquH/JARNd95BXonrtKlsNTukAU:eKbonL9fqufJARx34BskAU
MD5: 558D2DF684886415D9269F8147CC544A
SHA1: 932F242521D78AABB55AF0D8AC629C1A809B93B2
SHA-256: C1E2012CD07621AEED2239704F6981E07A892020F43CCB8A009262D9D32BE86F
SHA-512: 28C68D143DAF31ACA1AD1FF2DCC064AB855BD177794537D6271E34CBCE05FEDEEA3742E5853E774B73A9518BE838D0F740EC7A7EC3933D87E62914D416C5590D
Malicious: false
Reputation: low
IE Cache URL: https://auspost-mypost-track.from-id.com/noindex/common/images/centos-header.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\server[1].svg
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: SVG Scalable Vector Graphics image
Category: downloaded
Size (bytes): 7416
Entropy (8bit): 4.434392137234273
Encrypted: false
SSDEEP: 96:ZnZzYAxkMGgJYmXvOFPnRjvQSmoWV8euLVD/+2G4fVX/No8jZ81DfIf/fcfwfGfv:ZnZzY50io8e8Gqh8DAXk4+GMvX/2Ve
MD5: 1CC0945F8514ED0F47A5D9D513782BDD
SHA1: D6989F342CDB9886F48A6D3DA3CB71353BBAB1EF
SHA-256: F74B80306280CCF2DDC635EB09F5F36070EE5769365B0A7A53CA3747602EEBCB
SHA-512: AE424891FCCBF85B3A06B6A74EB753FD129F51A8A516E671B2ECC2736FFA605F5888786ED8238A147FD5827DCBD3C0D8C12E079B8C1166E94AB49929CC7C656D
Malicious: false
Reputation: low
IE Cache URL: https://auspost-mypost-track.from-id.com/error_docs/server.svg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pb-apache[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
Category: downloaded
Size (bytes): 103267
Entropy (8bit): 2.851641874630278
Encrypted: false
SSDEEP: 768:TKhzgBkRQRV9e2JjOZeNeFnbcz5zAdw2N7CsMheIH7HMIw:ehzSkIV9FweNQbcyw2NusMheILU
MD5: 31CD7C3FB2E50272E697A234310E45B1
SHA1: 2948DE2165B9270D09D1D5B1BEFA3104FABD7586
SHA-256: 216DCBAC83F24851E6EE10573F4C3CCA0C286F59B08C7CB036E06BAD3BA6BC8D
SHA-512: 854F3F8BA2A471D9AE9284B15FBF466BAB5A49686EF25E35D548871BAFA25B866F1BD3B1701011F221F7C520F6857633FF530C34673C4FC45F35BAC8A98A2246
Malicious: false
Reputation: low
IE Cache URL: https://auspost-mypost-track.from-id.com/noindex/common/images/pb-apache.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pb-centos[1].png
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
Category: downloaded
Size (bytes): 13122
Entropy (8bit): 7.972711594823633
Encrypted: false
SSDEEP: 384:fLdMlliF2VdfXcVCiWm20M7VRV7BoyJM5l:T6ncV+b7VRV7Y
MD5: 6F6164698BBA8DA3A92CC8A1E93F5349
SHA1: 6E63C7B6E4AAF9A1CF72AD48257BDB94721752FB
SHA-256: 4EF4E8C41028A150529A47054167E556F7DA210B005D9539E73BC241334FF5CF
SHA-512: C0F2CB855218EB06104F72BBF910AB9A23046CE6A66078C3F57B4606F8D562774BEEB23744AD0F247F81976AF207F8C104EDF84E55B87D12DE30F1ABA9DB5BE2
Malicious: false
Reputation: low
IE Cache URL: https://auspost-mypost-track.from-id.com/noindex/common/images/pb-centos.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\styles[1].css
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with very long lines
Category: downloaded
Size (bytes): 71634
Entropy (8bit): 6.073920446755576
Encrypted: false
SSDEEP: 1536:yajsUQ7S3Uk9NRX+EKpUEv5RUOkBd0DPHiDCthlTcnszKj:fvxEkRXLSmnBd8CDCtT8sOj
MD5: 3CBDFBA235B7EE9F3354953377CB6ECD
SHA1: 887A1C955362FB5FEC744F48B4DDA73BDD392354
SHA-256: 161EDA4990B01D918D7F5E7839DE3B6C9298ABA1028864D5AA1DEDFB4B0E2B6B
SHA-512: A072E3997A6DC3BF1912AE26362AD1BD777C28561A177F06FC1E6659AA3BED9F4C6A57ACAF8F40A17AF710DF81D083C13DCB80DF6170291D16DB8DC9908156E3
Malicious: false
Reputation: low
IE Cache URL: https://auspost-mypost-track.from-id.com/noindex/common/css/styles.css
Preview: /*. * Normalize & Bootstrap.======*/..body {. padding: 0 0 40px;. font-size: medium;. line-height: 1.5em;. color: #333;. font-family: "DejaVu Sans", "Liberation Sans", "Trebuchet MS", " Sans", helvetica, verdana, arial, sans-serif;. }../*. * Global & Overrides.======*/../* */.h1 {. font-family: Overpass, "DejaVu Sans", "Liberation Sans", "Trebuchet MS", "Bitstream Vera Sans", helvetica, verdana, arial, sans-serif;. padding: 0; margin-bottom: 20px;. }.h2 {. font-family: Overpass, "DejaVu Sans", "Liberation Sans", "Trebuchet MS", "Bitstream Vera Sans", helvetica, verdana, arial, sans-serif;. padding: 0; margin-bottom: 10px;. }.h3 {. font-family: Overpass, "DejaVu Sans", "Liberation Sans", "Trebuchet MS", "Bitstream Vera Sans", helvetica, verdana, arial, sans-serif;. padding: 0; margin-bottom: 10px;. }.h4 {. font-family: Overpass, "DejaVu Sans", "Liberation Sans", "Trebuchet MS", "Bitstream Vera Sans", helvet

C:\Users\user\AppData\Local\Temp\datA999.tmp
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: Web Open Font Format, TrueType, length 51084, version 1.0
Category: dropped
Size (bytes): 51084
Entropy (8bit): 7.990919104901858
Encrypted: true
SSDEEP: 1536:7K0++2pkH7BdZ1uDGPNUvqDuCikYK3mA/:7K0++2mp0GlUw+kYKj
MD5: 33C5B9A394DA526D8A9540A2870A36EE
SHA1: 758080FB953FAAB0B9D7BECF0E96B0DE2E4FAA07
SHA-256: E4CA624B972A6FA546931BCA7CD8A89EC49CF9C2482C1133A61349076C2D23D8
SHA-512: CD1EBA6DAC638C841029D465A968786CDAC1944CEC12A507B6D86CE5229BEECEE7B1F0374237147DE846279DF8050F850481172EF3476204344F6A9B2AC8BF92
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Temp\~DF634290F9B3C49363.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 43415
Entropy (8bit): 0.44922763388755577
Encrypted: false
SSDEEP: 96:kBqoxKAuvScS+JD71kHQ51W21f1keE1N1j1I1IQP1:kBqoxKAuqR+JD71kHQ5U2JSeEfB6XP
MD5: 0D04AD8B5FCF2EF33465461B7CF91CA9
SHA1: 509BB77D64B78257D1F933E9009EAA678C68E08E
SHA-256: 377A83BEF60F014254EB4F589E0C80C8F2254B4EFC28E889C7492CB3C1E4BE14
SHA-512: B6863F8AEC6984D32BCEE9353547E8F66BD4EED627B7B079F5A40711EAE63DA4D7DB9BCEFD2B466DEAD6266ABBE6DC0C0F169BE4F72F27C8C77687965103CEE9
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DF95F18FC655C951AA.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 25441
Entropy (8bit): 0.27918767598683664
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lRx/9lRJ9lTb9lTb9lSSU9lSSU9laAa/9laA:kBqoxxJhHWSVSEab
MD5: AB889A32AB9ACD33E816C2422337C69A
SHA1: 1190C6B34DED2D295827C2A88310D10A8B90B59B
SHA-256: 4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
SHA-512: BD250855747BB4CEC61814D0E44F810156D390E3E9F120A12935EFDF80ACA33C4777AD66257CCA4E4003FEF0741692894980B9298F01C4CDD2D8A9C7BB522FB6
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFCF63743DC36CB342.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 13029
Entropy (8bit): 0.4816957495549664
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9loeF9loi9lW2N+C+KbAs9:kBqoI972N+C+yAs9
MD5: 481AB7DC257B1BDC6C2803075DE854F7
SHA1: 4A8C7FCC6367DA50F07CBE1D7E51A12C26FC44CD
SHA-256: 22E4C817D961A7EC741A297793C7E9CFFE7594FE3304F5E6A1AE18A91BE4123C
SHA-512: FFB8C3D1FF9075395FEDA8F1AA48427964701EEC9771699CE0C9B3E5F370A990A20509766B44DD81565C0D6DC817229E5A41725903E922CB42DE1A627F1437DB
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 58 • 53 (DNS) • 443 (HTTPS)

TCP Packets


UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 27, 2021 04:58:40.419610977 CEST  54260        53         192.168.2.3  8.8.8.8
Apr 27, 2021 04:58:40.480642080 CEST  53           54260      8.8.8.8      192.168.2.3
Apr 27, 2021 04:58:41.436110020 CEST  51904        53         192.168.2.3  8.8.8.8
Apr 27, 2021 04:58:41.486151934 CEST  53           51904      8.8.8.8      192.168.2.3
Apr 27, 2021 04:58:41.839752913 CEST  61328        53         192.168.2.3  8.8.8.8
Apr 27, 2021 04:58:41.907157898 CEST  53           61328      8.8.8.8      192.168.2.3
Apr 27, 2021 04:58:57.794397116 CEST  54130        53         192.168.2.3  8.8.8.8
Apr 27, 2021 04:58:57.851759911 CEST  53           54130      8.8.8.8      192.168.2.3
Apr 27, 2021 04:59:10.421883106 CEST  56961        53         192.168.2.3  8.8.8.8
Apr 27, 2021 04:59:10.472809076 CEST  53           56961      8.8.8.8      192.168.2.3
Apr 27, 2021 04:59:11.059976101 CEST  59353        53         192.168.2.3  8.8.8.8
Apr 27, 2021 04:59:11.120444059 CEST  53           59353      8.8.8.8      192.168.2.3

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                              Type            Class
Apr 27, 2021 04:58:41.436110020 CEST  192.168.2.3  8.8.8.8  0x48c5    Standard query (0)  t.co                              A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:41.839752913 CEST  192.168.2.3  8.8.8.8  0x107     Standard query (0)  auspost-mypost-track.from-id.com  A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:57.794397116 CEST  192.168.2.3  8.8.8.8  0x110c    Standard query (0)  favicon.ico                       A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                              CName  Address         Type            Class
Apr 27, 2021 04:58:41.486151934 CEST  8.8.8.8    192.168.2.3  0x48c5    No error (0)    t.co                                     104.244.42.133  A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:41.486151934 CEST  8.8.8.8    192.168.2.3  0x48c5    No error (0)    t.co                                     104.244.42.5    A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:41.486151934 CEST  8.8.8.8    192.168.2.3  0x48c5    No error (0)    t.co                                     104.244.42.69   A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:41.486151934 CEST  8.8.8.8    192.168.2.3  0x48c5    No error (0)    t.co                                     104.244.42.197  A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:41.907157898 CEST  8.8.8.8    192.168.2.3  0x107     No error (0)    auspost-mypost-track.from-id.com         66.29.133.243   A (IP address)  IN (0x0001)
Apr 27, 2021 04:58:57.851759911 CEST  8.8.8.8    192.168.2.3  0x110c    Name error (3)  favicon.ico                       none   none            A (IP address)  IN (0x0001)

HTTPS Packets

Each entry lists the server certificate first, followed by the intermediate certificate presented in the chain.

Timestamp: Apr 27, 2021 04:58:41.605338097 CEST
Source IP: 104.244.42.133  Source Port: 443  Dest IP: 192.168.2.3  Dest Port: 49680
Subject:    CN=t.co, O="Twitter, Inc.", L=San Francisco, ST=California, C=US
            CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
Issuer:     CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
            CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Fri Feb 05 01:00:00 CET 2021
            Thu Sep 24 02:00:00 CEST 2020
Not After:  Sat Feb 05 00:59:59 CET 2022
            Tue Sep 24 01:59:59 CEST 2030
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c

Timestamp: Apr 27, 2021 04:58:41.605554104 CEST
Source IP: 104.244.42.133  Source Port: 443  Dest IP: 192.168.2.3  Dest Port: 49681
Subject:    CN=t.co, O="Twitter, Inc.", L=San Francisco, ST=California, C=US
            CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
Issuer:     CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
            CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Fri Feb 05 01:00:00 CET 2021
            Thu Sep 24 02:00:00 CEST 2020
Not After:  Sat Feb 05 00:59:59 CET 2022
            Tue Sep 24 01:59:59 CEST 2030
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c

Timestamp: Apr 27, 2021 04:58:42.290956020 CEST
Source IP: 66.29.133.243  Source Port: 443  Dest IP: 192.168.2.3  Dest Port: 49682
Subject:    CN=auspost-mypost-track.from-id.com
            CN=R3, O=Let's Encrypt, C=US
Issuer:     CN=R3, O=Let's Encrypt, C=US
            CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Fri Apr 23 22:37:52 CEST 2021
            Wed Oct 07 21:21:40 CEST 2020
Not After:  Thu Jul 22 22:37:52 CEST 2021
            Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c

Timestamp: Apr 27, 2021 04:58:42.292246103 CEST
Source IP: 66.29.133.243  Source Port: 443  Dest IP: 192.168.2.3  Dest Port: 49683
Subject:    CN=auspost-mypost-track.from-id.com
            CN=R3, O=Let's Encrypt, C=US
Issuer:     CN=R3, O=Let's Encrypt, C=US
            CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Fri Apr 23 22:37:52 CEST 2021
            Wed Oct 07 21:21:40 CEST 2020
Not After:  Thu Jul 22 22:37:52 CEST 2021
            Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0
JA3 SSL Client Digest: 9e10692f1b7f78228b2d4e424db3a98c

Code Manipulations

Statistics

Behavior

• iexplore.exe
• iexplore.exe


System Behavior

Analysis Process: iexplore.exe PID: 5732 Parent PID: 792

General

Start time: 04:58:39
Start date: 27/04/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff75aef0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: iexplore.exe PID: 5780 Parent PID: 5732

General

Start time: 04:58:40
Start date: 27/04/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5732 CREDAT:17410 /prefetch:2
Imagebase: 0x380000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Data Completion Count Address Symbol

Disassembly
